Comment on Passkeys are generally available on GitHub

Asudox@lemmy.world 1 year ago

It has its own pros. The biggest one is that it uses asymmetric cryptography. This means that the only one that can sign a challenge given by the server is the one that has the private key equivalent of the public key that the challenge was encrypted with. The challenge is sent to the client, where the client signs the challenge the server sent with their private key and then sends it back to the server. Since the server has the public key, the server can verify whether the signature is indeed from the private key owner. This is the reason why it is phish-proof. Though I am not sure whether a phisher can just take the challenge, let the victim sign it and then give the challenge back to log in. Can anyone confirm that?

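The challenge-signing flow the comment describes, and the relay question it ends with, as an added example that is not part of the thread and not GitHub's or any WebAuthn library's code. It models the part of WebAuthn that makes a relayed challenge fail: the browser, not the page, writes the origin it is on into the client data that gets signed, and the server rejects any assertion whose origin is not its own. All type and function names are hypothetical, the phishing origin is a constructed placeholder, and the real assertion format (which also signs over authenticator data) is simplified to the fields needed to show the point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Distinct errors so a caller can tell a relayed or replayed assertion
// apart from a plain bad signature.
var (
	ErrUnknownChallenge = errors.New("unknown or already used challenge")
	ErrOriginMismatch   = errors.New("origin mismatch")
	ErrBadSignature     = errors.New("signature does not verify")
)

// ClientData is the browser-assembled part of an assertion. The origin is
// stamped in by the browser from the page it is on; the page cannot set it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the server receives back (hypothetical simplified form).
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// Authenticator models the user's device holding the private key.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Sign answers a challenge. browserOrigin is the origin the browser observed
// when the page asked for the assertion. The signature covers the whole
// client data, so it binds challenge and origin together.
func (a *Authenticator) Sign(challenge, browserOrigin string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty models the server: registered public key, its own origin,
// and the challenges it has issued but not yet seen answered.
type RelyingParty struct {
	Origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues 32 random bytes and remembers them as outstanding.
func (rp *RelyingParty) NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[c] = true
	return c, nil
}

// Verify checks, in order: known unused challenge, expected origin, valid signature.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.pending[cd.Challenge] {
		return ErrUnknownChallenge
	}
	delete(rp.pending, cd.Challenge) // single use, even if later checks fail
	if cd.Origin != rp.Origin {
		return ErrOriginMismatch
	}
	digest := sha256.Sum256(a.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.pub, digest[:], a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Outcome holds the result of the three scenarios the comment asks about.
type Outcome struct{ Legitimate, Relayed, Replayed error }

// Scenarios runs a normal login, the same kind of challenge signed while the
// browser sits on a look-alike origin, and a replay of an already used assertion.
func Scenarios() (Outcome, error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return Outcome{}, err
	}
	rp := NewRelyingParty("https://github.com", &auth.priv.PublicKey)
	var out Outcome

	c1, err := rp.NewChallenge() // 1. browser is on the real origin
	if err != nil {
		return out, err
	}
	a1, err := auth.Sign(c1, rp.Origin)
	if err != nil {
		return out, err
	}
	out.Legitimate = rp.Verify(a1)

	c2, err := rp.NewChallenge() // 2. real challenge, signed on a constructed placeholder origin
	if err != nil {
		return out, err
	}
	a2, err := auth.Sign(c2, "https://github-login.example")
	if err != nil {
		return out, err
	}
	out.Relayed = rp.Verify(a2)

	out.Replayed = rp.Verify(a1) // 3. the good assertion from step 1, submitted again
	return out, nil
}

func main() {
	out, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("legitimate:", out.Legitimate, "| relayed:", out.Relayed, "| replayed:", out.Replayed)
}
```

The origin check is what answers the relay question: a signature obtained on another site is over client data whose origin field names that site, so it fails `Verify` before the signature is even examined; deleting the challenge on first use covers the case where a valid assertion is captured and resubmitted.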